kube-controller-manager: disable authn/z on insecure port

This is the old behaviour and we did not intent to change it due to enabled authn/z in general.
As the kube-apiserver this sets the "system:unsecured" user info.

cmd/controller-manager/app/serve.go

@@ -39,8 +39,13 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
 	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
 
-	handler := genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
+	handler := apiHandler
+	if authorizationInfo != nil {
+		handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
+	}
+	if authenticationInfo != nil {
 		handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
+	}
 	handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
 	handler = genericfilters.WithPanicRecovery(handler)
 

cmd/kube-controller-manager/app/BUILD

@@ -111,6 +111,7 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/mux:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",

cmd/kube-controller-manager/app/controllermanager.go

@@ -25,19 +25,19 @@ import (
 	"fmt"
 	"io/ioutil"
 	"math/rand"
+	"net/http"
 	"os"
 	"time"
 
 	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 
-	"net/http"
-
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/mux"
 	apiserverflag "k8s.io/apiserver/pkg/util/flag"
 	cacheddiscovery "k8s.io/client-go/discovery/cached"
@@ -160,7 +160,8 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error {
 	}
 	if c.InsecureServing != nil {
 		unsecuredMux = genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
-		handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, &c.Authorization, &c.Authentication)
+		insecureSuperuserAuthn := server.AuthenticationInfo{Authenticator: &server.InsecureSuperuser{}}
+		handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, nil, &insecureSuperuserAuthn)
 		if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
 			return err
 		}

pkg/kubeapiserver/server/BUILD

@@ -10,7 +10,6 @@ go_library(
     srcs = ["insecure_handler.go"],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
     deps = [
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",

pkg/kubeapiserver/server/insecure_handler.go

@@ -19,7 +19,6 @@ package server
 import (
 	"net/http"
 
-	"k8s.io/apiserver/pkg/authentication/user"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/server"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
@@ -32,7 +31,7 @@ import (
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 	handler := apiHandler
 	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
-	handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
+	handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
@@ -42,15 +41,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 
 	return handler
 }
-
-// insecureSuperuser implements authenticator.Request to always return a superuser.
-// This is functionally equivalent to skipping authentication and authorization,
-// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
-type insecureSuperuser struct{}
-
-func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	return &user.DefaultInfo{
-		Name:   "system:unsecured",
-		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
-	}, true, nil
-}

staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/golang/glog"
 
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/rest"
 )
 
@@ -70,3 +71,15 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 		Burst: 100,
 	}, nil
 }
+
+// InsecureSuperuser implements authenticator.Request to always return a superuser.
+// This is functionally equivalent to skipping authentication and authorization,
+// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
+type InsecureSuperuser struct{}
+
+func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+	return &user.DefaultInfo{
+		Name:   "system:unsecured",
+		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+	}, true, nil
+}

test/integration/kube_controller_manager/serving_test.go

@@ -176,6 +176,11 @@ users:
 			"--kubeconfig", apiserverConfig.Name(),
 			"--leader-elect=false",
 		}, "/healthz", true, false, intPtr(http.StatusOK), nil},
+		{"/metrics without auhn/z", []string{
+			"--kubeconfig", apiserverConfig.Name(),
+			"--kubeconfig", apiserverConfig.Name(),
+			"--leader-elect=false",
+		}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
 		{"authorization skipped for /healthz with authn/authz", []string{
 			"--port=0",
 			"--authentication-kubeconfig", apiserverConfig.Name(),
@@ -199,12 +204,11 @@ users:
 			"--leader-elect=false",
 		}, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
 		{"not authorized /metrics with BROKEN authn/authz", []string{
-			"--port=0",
 			"--authentication-kubeconfig", apiserverConfig.Name(),
 			"--authorization-kubeconfig", brokenApiserverConfig.Name(),
 			"--kubeconfig", apiserverConfig.Name(),
 			"--leader-elect=false",
-		}, "/metrics", false, false, intPtr(http.StatusInternalServerError), nil},
+		}, "/metrics", false, false, intPtr(http.StatusInternalServerError), intPtr(http.StatusOK)},
 		{"always-allowed /metrics with BROKEN authn/authz", []string{
 			"--port=0",
 			"--authentication-skip-lookup", // to survive unaccessible extensions-apiserver-authentication configmap